Users of Valve Corp.’s popular gaming service Steam are being targeted by hackers using novel browser-in-the-browser attacks.
BitB attacks first emerged in March and involve the use of a simulated login window with a spoofed domain within a parent browser window to steal credentials. As detailed by researchers at Group-IB Global Pvt. Ltd., Steam users are being duped by BitB attacks that start with a phishing campaign.
To trick users into handing over their credentials, those behind the attack lure victims to a fake website that contains a login button alongside messages advertising offers such as joining a game team or tournament, purchasing discounted tickets to cybersport events and more. In another case, viewers of a gameplay video were given the option to visit another resource to receive a free in-game item.
Users are easily tricked because Steam itself uses a pop-up window for logging in to accounts, and those behind the campaign present victims with a fake version of that pop-up. The researchers note that the fake pop-up “has a fake green lock sign, a fake URL field that can be copied and even an additional Steam Guard window for two-factor authentication.”
The fake pages themselves are typically entirely copied from legitimate pages. In many cases, the pages also include an alert about data being saved on third-party resources.
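A defender-side heuristic for the fake pop-up described above, as an added example that is not from the Group-IB research or this article: a genuine login pop-up is a separate browser window, so a page that draws a protected login address as its own text next to a password field is suspect. The page model, the function names and the `.example` hosts are constructed assumptions.

```javascript
// Added example: heuristic a browser extension or proxy could apply.
// A "page" here is a constructed model: the real host from the browser's
// address bar, the visible text nodes, and whether a password input exists.
const URL_LIKE = /\bhttps?:\/\/[^\s"'<>]+/gi;

// Collect hosts that appear as rendered text (e.g. a drawn address bar).
function displayedHosts(texts) {
  const hosts = new Set();
  for (const text of texts) {
    for (const match of text.match(URL_LIKE) || []) {
      try {
        hosts.add(new URL(match).hostname.toLowerCase());
      } catch (_) { /* not a parseable URL; ignore */ }
    }
  }
  return [...hosts];
}

// True when host equals base or is a subdomain of it. The leading dot
// stops "notgames.example" from matching "games.example".
function sameOrSubdomain(host, base) {
  return host === base || host.endsWith("." + base);
}

// Flag a page that shows a protected login host as text while being
// served from an unrelated host and asking for a password.
function assessPage(page, protectedHosts) {
  const realHost = page.host.toLowerCase();
  const onProtected = protectedHosts.some((p) => sameOrSubdomain(realHost, p));
  const spoofed = onProtected ? [] : displayedHosts(page.texts).filter(
    (h) => protectedHosts.some((p) => sameOrSubdomain(h, p)));
  return { suspicious: page.hasPasswordField && spoofed.length > 0, spoofed };
}

// Constructed sample: a lure page drawing a login "window" inside itself.
const PROTECTED = ["games.example"]; // hypothetical login domain
const lurePage = {
  host: "tournament-signup.example",
  texts: ["Join the team", "https://login.games.example/openid/login"],
  hasPasswordField: true,
};
console.log(assessPage(lurePage, PROTECTED));
```

The check complements the manual test of dragging the login window past the edge of the parent page, which a simulated window cannot do.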
In July, more than 150 fraudulent resources mimicking Steam were found. How many victims have fallen for the fake pages and BitB is not clear, although the researchers cite multiple examples of users claiming to have had their accounts stolen, including accounts valued as highly as $300,000.
Discussing the news, Alon Levin, vice president of product management at browser security provider Seraphic Security Ltd., told SiliconANGLE that the BitB approach is rising in popularity among threat actors looking to create fake login forms and sell access to accounts.
“In this case, displaying fake browser windows and login forms has allowed this attack method to access the accounts and credentials of Microsoft and Google users,” Levin explained. “Visitors are requested to login and are then redirected to a fake window, where credentials are stolen after being entered by the user.”
“Although Browser-in-the-Browser attacks are becoming a more common tactic with cybercriminals, internet users can mitigate these threats by leveraging comprehensive browser security,” Levin added. “Though users can easily mistake such sites as the one targeted in this phishing attempt for being legitimate, a system that is based on execution flow analysis can thwart these attacks easily.”